2019-04-26 18:24:29 +00:00
# Using Chef InSpec on Cloud Platforms
2018-02-14 19:15:20 +00:00
2019-04-26 18:24:29 +00:00
As of Chef InSpec 2.0, we have expanded our platform support beyond individual machines and now include support for select AWS and Azure resources.
2018-02-14 19:15:20 +00:00
2019-04-26 18:24:29 +00:00
Using InSpec, you can use several Chef InSpec resources to audit properties of your cloud infrastructure - for example, an Amazon Web Services S3 bucket.
2018-02-14 19:15:20 +00:00
2018-02-19 22:29:19 +00:00
< br >
2018-10-15 22:25:27 +00:00
## AWS Platform Support in InSpec
2018-02-14 19:15:20 +00:00
### Setting up AWS credentials for InSpec
2019-04-26 18:24:29 +00:00
Chef InSpec uses the standard AWS authentication mechanisms. Typically, you will create an IAM user specifically for auditing activities.
2018-02-14 19:15:20 +00:00
2018-02-19 22:29:19 +00:00
* 1 Create an IAM user in the AWS console, with your choice of username. Check the box marked "Programmatic Access."
2019-04-26 18:24:29 +00:00
* 2 On the Permissions screen, choose Direct Attach. Select the AWS-managed IAM Profile named "ReadOnlyAccess." If you wish to restrict the user further, you may do so; see individual Chef InSpec resources to identify which permissions are required.
2018-02-19 22:29:19 +00:00
* 3 After generating the key, record the Access Key ID and Secret Key.
2018-02-14 19:15:20 +00:00
#### Using Environment Variables to provide credentials
2019-04-26 18:24:29 +00:00
You may provide the credentials to Chef InSpec by setting the following environment variables: `AWS_REGION` , `AWS_ACCESS_KEY_ID` , and `AWS_SECRET_KEY_ID` . You may also use `AWS_PROFILE` , or if you are using MFA, `AWS_SESSION_TOKEN` . See the [AWS Command Line Interface Docs ](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html ) for details.
2018-02-14 19:15:20 +00:00
Once you have your environment variables set, you can verify your credentials by running:
```bash
2018-02-16 21:47:16 +00:00
you$ inspec detect -t aws://
2018-02-14 19:15:20 +00:00
== Platform Details
2018-02-16 21:47:16 +00:00
Name: aws
Families: cloud, api
Release: aws-sdk-v2.10.125
2018-02-14 19:15:20 +00:00
```
2019-04-26 18:24:29 +00:00
#### Using the Chef InSpec target option to provide credentials on AWS
2018-02-14 19:15:20 +00:00
2018-02-19 22:29:19 +00:00
Look for a file in your home directory named `~/.aws/credentials` . If it does not exist, create it. Choose a name for your profile; here, we're using the name 'auditing'. Add your credentials as a new profile, in INI format:
2018-02-14 19:15:20 +00:00
2018-02-19 22:29:19 +00:00
```bash
2018-02-14 19:15:20 +00:00
[auditing]
aws_access_key_id = AKIA....
aws_secret_access_key = 1234....abcd
```
2019-04-26 18:24:29 +00:00
You may now run Chef InSpec using the `--target` / `-t` option, using the format `-t aws://region/profile` . For example, to connect to the Ohio region using a profile named 'auditing', use `-t aws://us-east-2/auditing` .
2018-02-14 19:15:20 +00:00
2018-02-16 21:47:16 +00:00
To verify your credentials,
2018-02-19 22:29:19 +00:00
2018-02-14 19:15:20 +00:00
```bash
2018-02-16 21:47:16 +00:00
you$ inspec detect -t aws://
2018-02-14 19:15:20 +00:00
== Platform Details
2018-02-16 21:47:16 +00:00
Name: aws
Families: cloud, api
Release: aws-sdk-v2.10.125
2018-02-14 19:15:20 +00:00
```
2018-02-19 22:29:19 +00:00
< br >
2018-02-14 19:15:20 +00:00
2018-10-15 22:25:27 +00:00
## Azure Platform Support in InSpec
2018-02-14 19:15:20 +00:00
### Setting up Azure credentials for InSpec
2019-04-26 18:24:29 +00:00
To use Chef InSpec Azure resources, you will need to create a Service Principal Name (SPN) for auditing an Azure subscription.
2018-02-14 19:15:20 +00:00
This can be done on the command line or from the Azure Portal:
2018-02-19 22:29:19 +00:00
* [Azure CLI ](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal-cli )
* [PowerShell ](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal )
* [Azure Portal ](https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal )
2018-02-14 23:52:36 +00:00
2019-04-26 18:24:29 +00:00
The information from the SPN can be specified either in the file `~/.azure/credentials` , as environment variables, or by using Chef InSpec target URIs.
2018-02-14 19:15:20 +00:00
2018-02-19 22:29:19 +00:00
#### Setting up the Azure Credentials File
2018-02-14 19:15:20 +00:00
2019-04-26 18:24:29 +00:00
By default Chef InSpec is configured to look at ~/.azure/credentials, and it should contain:
2018-02-14 19:15:20 +00:00
2018-02-19 22:29:19 +00:00
```powershell
2018-02-14 19:15:20 +00:00
[< SUBSCRIPTION_ID > ]
client_id = "< CLIENT_ID > "
client_secret = "< CLIENT_SECRET > "
tenant_id = "< TENANT_ID > "
```
2018-02-19 22:29:19 +00:00
NOTE: In the Azure web portal, these values are labeled differently:
* The client_id is referred to as the 'Application ID'
* The client_secret is referred to as the 'Key (Password Type)'
* The tenant_id is referred to as the 'Directory ID'
2018-02-16 21:47:16 +00:00
2018-02-14 19:15:20 +00:00
With the credentials are in place you may now execute InSpec:
```bash
inspec exec my-inspec-profile -t azure://
```
2018-02-19 22:29:19 +00:00
#### Using Environment variables to provide credentials
2018-02-14 19:15:20 +00:00
You may also set the Azure credentials via environment variables:
2018-02-19 22:29:19 +00:00
* `AZURE_SUBSCRIPTION_ID`
* `AZURE_CLIENT_ID`
* `AZURE_CLIENT_SECRET`
* `AZURE_TENANT_ID`
2018-02-14 19:15:20 +00:00
For example:
```bash
AZURE_SUBSCRIPTION_ID="2fbdbb02-df2e-11e6-bf01-fe55135034f3" \
AZURE_CLIENT_ID="58dc4f6c-df2e-11e6-bf01-fe55135034f3" \
AZURE_CLIENT_SECRET="Jibr4iwwaaZwBb6W" \
AZURE_TENANT_ID="6ad89b58-df2e-11e6-bf01-fe55135034f3" inspec exec my-profile -t azure://
```
2019-04-26 18:24:29 +00:00
#### Using the Chef InSpec target option to provide credentials on Azure
2018-02-14 19:15:20 +00:00
2019-04-26 18:24:29 +00:00
If you have created a `~/.azure/credentials` file as above, you may also use the Chef InSpec command line `--target` / `-t` option to select a subscription ID. For example:
2018-02-14 19:15:20 +00:00
```bash
inspec exec my-profile -t azure://2fbdbb02-df2e-11e6-bf01-fe55135034f3
2018-10-15 22:25:27 +00:00
```